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ARTICLE INFO ABSTRACT 








Keywords: Nearly all dynamic positioning (DP) operations are characterized by limited time available for the DP operator to 
Time detect and act upon a loss of position. Collision risk is analyzed with a quantitative risk analysis, which usually 
Dynamic Positioning does not analyze the human contribution to the risk picture, but rather uses estimates. The objective of this paper 
ee ee is to evaluate the way time (e.g. available time, time required, perceived time available and perceived time 
required) is addressed in risk analyses for oil and gas DP operations and how this affects safety. The study has 
found that time required can exceed the time available, and that the effects of perceived time available and 
perceived time required need to be included in human reliability analysis. In general, awareness needs to be 
raised around the importance of time. This can be done by including the different aspects of time into risk an- 
alyses of DP operations so that effective risk reducing measures can be identified. Furthermore, decision support 
tools should be developed that integrate the dynamics of the vessel movement over time (time available) and the 
response time of the operator and system (time required) to address not only what, and how of decision-making, 


but also when. 





1. Introduction 


The DP system was developed in the 1960’s for offshore drilling. 
Jack-up drilling platforms could no longer reach at the water depths that 
were being explored and anchoring was not a financially viable option 
or not possible due to a congested sea bottom. The first DP vessels used 
analogue systems with no redundancy. Since then the dynamic posi- 
tioning (DP) system has developed and there are now requirements for 
redundancy, especially for high-operations inside the 500-meter zone of 
platforms. DP vessels allow for new types of operations in new areas 
where it is important to be able to relocate easily and quickly. A DP 
system is a system capable of controlling a set course, heading or posi- 
tion of a vessel by use of thrusters and propellers and reference systems 
[33]. DP is now used for a wide variety of operations, such as supply, 
drilling, shuttle tanker, flotel, construction and heavy-lift, pipe- and 
cable-laying, survey, anchor handling, diving and Remote Operated 
Vehicles (ROV), survey, dredging, cruise ship, etc. [10]. 

The risk associated with DP operations vary concerning the position 
excursion tolerance and their consequence potential [34]. To illustrate 
this some examples are provided in Table 1. Four types of DP operations 
are presented with the distance separating them from the installation: 


* Corresponding author. 
E-mail address: sandra.hogenboom@ntnu.no (S. Hogenboom). 


https: //doi.org/10.1016/j.ress.2020.107347 


floating production storage and offloading (FPSO) vessel and shuttle 
tanker (ST) offloading operations, flotel providing additional accom- 
modation for an oil platform, supply operations at an oil platform, anda 
mobile offshore drilling unit (MODU) operating on DP. The drilling 
operation’s condition differs from the other, because it does not include 
a collision object, and therefore no separation distance. However, the 
MODU is attached to the well with, amongst other things, a drill string 
and riser, the angle of the riser determines the excursion tolerance of the 
operation. The time available is gathered from previous studies, no in- 
formation was available for flotel and supply operations. Chen and Moan 
[5] found that at a separation distance of 80 meters ST operators have 53 
seconds to respond to a drive-off in the direction of the FPSO. Hogen- 
boom et al. [11] found that the reaction time between the first and 
highest alarm level is set to 60 seconds to allow personnel in the 
moonpool area to evacuate the area to avoid being hit by the drill string 
in case it get severed. 

As indicated in Table 1, distance and time available are linked. A 
study by Parhizkar et al. [22] found that time available has the greatest 
effect on collision probability. A combination of weather, thruster 
forces, and distance will determine how much time a DP operator (DPO) 
has to react to a loss of position. This requires that the operator is alert 
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Table 1 
Separation distance for several types of DP operations (* = no data available). 
DP operation FPSO-ST Flotel- Supply- Drilling 
Platform Platform 
Separation 80 m 60-70 m 20-30 m Not relevant 
distance 
Time 53s * = 60s 
available 
Excursion Hose Gangway Hose tension Riser angle 
tolerance tension and reach of dependent on 
crane water depth 





and vigilant and ready at any time to take over manually from the DP 
system and move the vessel to a safe location. Of course, there are safety 
margins in place to “buy” the operator more time to respond and in- 
crease the time available. For example, some operations are not allowed 
on the windward side of an installation to avoid a collision in case of a 
drift off. A drift-off means that there is insufficient thrust to maintain the 
target vessel position and as a result the vessel drifts away due to the 
environmental forces Chen et al. [35]. However, this is not helpful in a 
drive-off situation, where there is active thrust driving the vessel away 
from the target position [35] and potentially into the installation. All DP 
operations are inherently threatened by a loss of position [9]. 

Yet, the consequences of a loss of position can vary. Some position 
losses can lead to a collision, others to damage to subsea structures, or 
(oil) spills due to ruptured hoses. To avoid this from happening there are 
safety systems in place, nevertheless, the DPO is usually considered the 
last barrier of defense against a loss of position and in avoiding damages 
due to a loss of position [9]. 

A study from Chen and Moan [5] that identified measures to reduce 
recovery failure for FPSO-ST collision risk found that for some incident 
scenarios there was insufficient time for the operator to respond suc- 
cessfully to a loss of position. The study recommended to increase the 
time window for the operator to initiate a recovery action and to provide 
assistance to reduce the time required to initiate a recovery action. To 
achieve the first an increase in operating distance to the installation was 
proposed as well as a change to the setup of the thrusters. Furthermore, 
to reduce the reaction time of the operator Chen and Moan [5] proposed 
improved early detection, through preventing operator fatigue, inter- 
ference from other activities, and providing observation training. They 
also recommend quick decision-making, to improve this they recom- 
mend training, proceduralization and automation [5]. 

In another study by Chen, Moan and Vinnem [6] DPOs’ reaction 
times were observed in a simulator. In 59 simulator observations of 
drive-off scenarios for FPSO-ST operations they found that the mean 
reaction time is 81 seconds, of which 59 seconds are spent detecting the 
event, and 22 seconds deciding and executing the recovery actions. 
These reaction times indicate that there is insufficient time available for 
the DPO to recover from a full-head-on drive off and prevent a collision 
[6], unless the distance between the FPSO and ST is about 150 m. 

To illustrate how time is treated in the various risk assessments a case 
study was selected for this article. The Sjgborg accident [24] was chosen 
as a case study because it is a recent event that highlights the criticality 
of time. 

The Sjgborg supply vessel collided with the Statfjord A installation in 
Norway on 7 June 2019. In the early morning the supply vessel was 
transferring fresh water, diesel oil and deck cargo. A technical failure 
meant the load reduction mode was activated on the vessel, reducing 
power to all its thrusters to 10-15 per cent of the maximum. Power was 
lost to two of three bow thruster upon which the vessel lost heading and 
position and drifted against the installation. The Sjøborg suffered dam- 
ages to the mast and equipment above the bridge when they collided 
with the lifeboat station of the Statfjord A, and dents on the starboard aft 
side where it hit the drilling shaft of the installation. 

The Norwegian Petroleum Safety Authority (PSA) lounged an 
investigation and the data used in this article about the accident is 
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largely based on their accident investigation report [24]. 

The paper is structured as follows. An overview of how some of the 
risk analyses address the time elements is presented in Section 2. The 
methods and analyses used in the paper are introduced in Section 3 
together with the results of the various analyses. Section 4 summarizes 
and discusses the results and presents the recommendations based on the 
findings of the study. Section 4 also outlines the limitations of the study 
and the need for future work. Details of the methodology are presented 
in Section 4. Finally, the conclusions and the contributions of this study 
are presented in Section 5. 


2. Temporal Factors in Risk Analyses 
2.1. Quantitative Risk Analysis (QRA) of Collision Risk 


Collision risk between vessels and installations has been quantified 
by estimates of frequency for collision and energy involved in the 
collision. The models are based on the frequency of failure modes that 
can lead to collision scenarios and by modeling the resulting course of 
events. The preferred modeling method varies; commonly fault trees or 
event trees are used. Historical frequency data is used as input for these 
models, taking into account operational conditions [16]. The risk 
models often have flexibility to include human reliability assessments 
for safety critical tasks [18,26], however, they are not ordinarily 
included. 

Traditionally, the levels of complexity in the models have been kept 
low to due to low availability of adequate quantitative input estimates. 
Furthermore, the technical and operational conditions and barriers are 
taken into account, but they are not able to take a holistic view of the 
risk picture, nor are they capable of modeling the interaction effects 
[16]. 


2.2. Human Reliability Analysis (HRA) 


The HRA methods that are considered for this study were selected 
from the HSE (Health and Safety Executive) review of HRA methods [1]. 
The requirement for the method was that it is publically available and 
can potentially be applied to DP operations and does not require expert 
judgement. Based on these criteria the following methods were 
considered: 


e THERP (Technique for Human Error Rate Prediction) 

e HEART (Human Error Assessment and Reduction Technique) 

e SPAR-H (Simplified Plant Analysis Risk Human Reliability 
Assessment) 

e ATHEANA (A Technique for Human Error Analysis) 

e CREAM (Cognitive Reliability and Error Analysis Method) 


In 2017, a research and development project funded by the Norwe- 
gian Research Council has developed the Petro-HRA method and 
guideline [3]. The method was specifically developed to analyze the 
human reliability of safety critical tasks in the offshore industry. Since it 
did not exist prior to the United Kingdom HSE review of HRA methods 
was concluded in 2009, it was not part of that study. However, 
considering the relevance to this topic and it meeting the requirements 
set for the selection of HRA methods, it is included in this study. 

The selected HRA methods were reviewed based on their inclusion of 
performance shaping factors (PSFs) addressing time available and 
perceived time available. The only methods that described both actual 
and perceived time available are the SPAR-H and Petro-HRA method. A 
description of how they include time is presented below, an overview of 
the PSFs and associated multipliers are presented in Table 2 and Table 3. 


2.2.1. Simplified Plant Analysis Risk Human Reliability Assessment (SPAR- 
H) 
The SPAR-H addresses time mainly in the performance shaping 
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Table 2 


PSFs related to time available/required per selected HRA method. 





Method PSFs related 
to time 


available 


Multiplier 


Level 


Level description 





Available 
time 


SPAR-H HEP = 1 


10 


0.1 


0.01 


Petro- Time 
HRA 


(HEP) = 1 


50 


10 


0.1 


Inadequate time 


Barely Adequate 
Time 


Nominal Time 


Extra Time 


Expansive Time 


Extremely high 
negative effect 
on performance 


Very high 
negative effect 
on performance 


Moderate 
negative effect 
on performance 


Nominal effect 
on performance 


The time margin is 
negative because less 
time is available than 
is required. 

The time margin is 
zero because the time 
available equals the 
time required. 

There is a small time 
margin because the 
time available is 
slightly greater than 
the time required. 
The time margin is 
greater than zero but 
less than the time 
required; the time 
available is greater 
than the time 
required. 

The time margin 
exceeds the time 
required; the time 
available is much 
greater than the time 
required. 

Operator(s) does not 
have enough time to 
successfully complete 
the task. 

The available time is 








the minimum time 
required to perform 
the task or close to the 
minimum time to 
perform the task. In 
this situation the 
operator(s) has very 
high time pressure or 
they have to speed up 
very much to do the 
task in time. 

The operator(s) has 
limited time to 
perform the task. 
However, there is 
more time available 
than the minimum 
time required. In this 
situation the operator 
(s) has high time 
pressure, or they have 
to speed up much to 
do the task in time. 
There is enough time 
to do the task. The 
operator(s) only has a 
low degree of time 
pressure, or they do 
not need to speed up 
much to do the task. 
When comparing the 
available time to the 
required time the 
analyst concludes 
that time would 
neither have a 
negative nor a 
positive effect on 
performance. 

There is extra time to 
perform the task. In 


Reliability Engineering and System Safety 207 (2021) 107347 


Table 2 (continued) 





Method PSFs related 
to time 


available 


Multiplier Level Level description 


this situation the 
operator(s) has 
considerable extra 
time to perform the 
task and there is no 
time pressure or need 
to speed up to do the 
task in time. 


Moderate 
positive effect 
on performance 


PSF is not relevant for 
this task or scenario. 


1 Not applicable 





factor (PSF) available time. The PSF looks at the available time relative 
to the time that is required to complete the task, so there could be an 
extra time margin, see Table 2 for a description of the levels and mul- 
tipliers. The method uses different time PSF descriptions for diagnosis 
and action events. Diagnosis events often have a wider time range in 
which they can be performed. It is presumed that a decision can be made 
quickly, if necessary. However, when determining the nominal time 
needed to make a decision, this should be based on systematic and 
thoughtful thinking and individual differences will have to be averaged 
out [30]. The available time PSF does not consider aspects of perceived 
time pressure by the operator. Actual and perceived time pressure 
induce stress, and are therefore be assessed under the stress/stressor PSF 
[30]. 


2.2.2. Petro-HRA 

The method is based on the SPAR-H method, but it comes with an 
extensive guideline describing not only how to conduct a HRA from start 
to finish, but also how to integrate the HRA with the QRA process [3]. 
The Petro-HRA method distinguishes between objective time available 
and the subjective experience of time available. Objective time available 
is treated under the PSF: time, and the subjective experience of time 
available under the PSF: training/experience [3]. 


2.3. Dynamic risk assessment 


Dynamic risk models have been developed to analyze operational 
risk. Dynamic risk assessments updates risk estimates based on perfor- 
mance of the control system, safety barriers, inspection and mainte- 
nance activities, human factors, and procedures. Almost all qualitative 
and quantitative risk analysis methods involve hazard identification, 
risk assessment, and evaluation of control measures [19]. Dynamic risk 
assessment adds a phase of monitoring and assessing abnormal condi- 
tions to revise the estimated risk. This largely describes the role of the 
DPO, where the DP operator is monitoring the DP systems’ performance 
and on the look-out for abnormalities or failures [9]. There have been 
several contributions in recent years that propose and promote dynamic 
risk assessment methods [14,15,21]. 

The integration of dynamic risk assessment and management can 
support the decision-making process by providing a real-time risk esti- 
mate [15]. Furthermore, appropriate model selection and sensitivity 
investigation techniques are required for decision support [7]. Addi- 
tionally, advanced data acquisition systems for providing real-time 
input to quantitative risk management are needed. Furthermore, 
model sensitivity to uncertain input data needs to be considered. Vin- 
nem et al. [29] proposed an online risk management framework for DP 
operations, that takes these concerns into consideration. 

However, in most of these studies, response time is not considered in 
the dynamic risk model or decision-making model. Nevertheless, time is 
a critical factor in nearly all loss of position incidents, what is more the 
decision-making process takes time. Time required to handling a loss of 
position scenario and the consequences of each decision scenario are not 
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Table 3 
PSFs related to perceived time available/required per selected HRA method. 
Method PSFs related Multiplier Level Level description 
to perceived 
time 
available 
SPAR-H _ Stress/ 5 Extreme A level of disruptive 
stressor stress in which the 
performance of most 
people will 
deteriorate 


drastically, the so- 
called stress 
performance cliff. 
This is likely to occur 
when the onset of the 
stressor is sudden 
and the stressing 
situation persists for 
long periods. This 
level is also 
associated with the 
feeling of threat to 
one’s physical well- 
being or to one’s self- 
esteem or 
professional status, 
and is considered to 
be qualitatively 
different from lesser 
degrees of high stress 
(e.g., catastrophic 
failures can result in 
extreme stress for 
operating personnel 
because of the 
potential for 
radioactive release). 

2 High A level of stress 
higher than the 
nominal level (e.g., 
instruments with 
anomalous readings 
or unexpected 
alarms; loud, 
continuous noise 
impacts ability to 
focus attention on the 
task; the 
consequences of the 
task represent a 
threat to plant 
safety). This level 
basically 
encompasses any 
situation where there 
is a perceived threat 
that can result in 
significant health or 
financial 
consequences (such 
as loss of the plant). 

1 Nominal The level of stress 
that is conducive to 
good performance. 
Also, this level 
should be assigned 
whenever stress is 
judged to not be a 
performance driver. 

1 Insufficient If you do not have 

Information sufficient 

information to 
determine if this is a 
performance driver 
or to choose among 
the other 
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Table 3 (continued) 





Method PSFs related Multiplier Level Level description 
to perceived 
time 
available 





alternatives, assign 
this PSF level. Note 
that the multiplier is 
the same as for 


Nominal. 
Petro- Training/ (HEP) =1 Extremely high There is a strongly 
HRA experience negative effect learned knowledge 


on performance or skill (either from 
experience or 
training) that is a 
mismatch with the 
correct response to 
this task step in this 
scenario. An example 
could be that the 
operator(s) during 
experience or 
training has 
developed a strong 
mindset about the 
development of a 
scenario and actions 
that do not fit with 
the scenario in 
question and 
therefore cannot be 
expected to perform 
the task correctly. 

50 Very high The operator(s) does 

negative effect not have any 

on performance experience or 
training and does not 
at all have the 
necessary knowledge 
and skills to be 
prepared for and to 
do the task(s) in this 


scenario. 
15 Moderate The operator(s) has 
negative effect low experience or 


on performance training and does not 
have the necessary 
complete knowledge 
and experience to be 
prepared for and to 
do the task(s) in this 


scenario. 
5 Low negative The operator(s) has 
effect on experience or 
performance training but this is 


lacking, and they do 
not have the 
complete knowledge 
and experience to be 
fully prepared for 
and to do the task(s) 
in this scenario. 

1 Nominal effect The operator(s) has 

on performance experience and/or 

training on the task 
(s) in this scenario 
and has the necessary 
knowledge and 
experience to be 
prepared for and to 
do the task(s) in this 
scenario. 
Experience/Training 
does not reduce 
performance nor to a 
large degree improve 
performance. 

0.1 


(continued on next page) 
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Table 3 (continued) 








Method PSFs related Multiplier Level Level description 
to perceived 
time 
available 
Moderate The operator(s) has 
positive effect extensive experience 
on performance and/or training on 
this task and the 
operator(s) has 
extensive knowledge 
and experience to be 
prepared for and to 
do the task(s) in this 
scenario. 
1 Not applicable PSF is not relevant 


for this task or 
scenario. 





independent. Different combinations of factors will affect the decision 
scenarios and will result in different required time and consequences of 
the decision. This needs to be addressed in dynamic decision-making 
models and they need to be risk based. In addition, even though many 
contributions have been proposed to risk-based decision-making 
models, the dynamic dependency of the response is barely included. The 
decision-making process is highly time dependent and changes over 
time according to system operational and environmental conditions. 
Moreover, system operation is dynamically affected by decisions. In 
order to establish an accurate decision-making model these interactions 
should be considered as well. The interactions of the system and the 
decision-making process in a dynamic environment is considered in a 
study carried out by Chang and Mosleh [4]. 


7 I E- 
(Power system ) 


y 
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Parhizkar et al. [23] have developed a decision-making safety 
assessment framework and human response time (HRT) model that 
consider the dynamic nature of decision scenarios and their in- 
terdependencies. In the proposed framework, the scenarios’ effective- 
ness are calculated as a function of the previous events and occurrence 
time [28]. As a result, in addition to the dynamic of the system, a de- 
cision scenario depends on the dynamic nature of the decision-making 
process. Event sequence diagrams (ESD) are used to predict the dy- 
namic safety level of incidents in complex systems [31]. The ESD present 
the logical relations among events in the system. The framework utilizes 
ESD in combination with fault trees and Bayesian networks (BNs) to 
estimate the occurrence frequency or probability of the system hazard- 
ous events and consequences, and to address the root causes to system 
hazardous events. 


2.3.1. Dynamic Simulation 

As mentioned above time available is critical in determining the 
probability for success of avoiding a potential collision or other negative 
consequences of a loss of position. A dynamic simulator can calculate the 
remaining available time, based on operation and environmental con- 
ditions [25]. The simulator gathers input from DP system components’ 
status (engines, thrusters, control system, etc.), environmental condi- 
tions (wind force and direction, wave force and direction, etc.), and 
vessel and DP type [25]. For instance, some DP operations utilize a 
specific operating guideline (SOG) that predefines the excursion limits 
into yellow and red alarms [9]. The remaining available time for the DP 
operation is then equal to the minimum required time that the vessel 
reaches the outer “red” limit for position excursion. Most supply vessel 
operations on the Norwegian Continental Shelf (NCS) do not have a 
SOG, and the time available needs to be calculated for the 


ein eae a S 
Control system Propulsion system 
(Control system) Propulsion system > 





Dynamic simulator 
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1500 2000 2500 3000 


1500 2000 2500 3000 


Fig. 1. Example of output from the dynamic simulator (adapted from [22]). 
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“point-of-no-return”. The point-of-no-return refers to the time until the 
vessel reaches a position from which a collision becomes inevitable due 
to remaining time until collision, available thruster and environmental 
forces, human and technical reaction times. 

Fig. 1 depicts an example of the output from the dynamic simulator. 
The dynamic simulator has the potential to display the displacement of 
the vessel over time based on real-time input data. The objective of 
utilizing the dynamic simulator in such a capacity would be to give 
decision support to the DPO. As can be seen, the operational and envi- 
ronmental conditions of the DP system serve as input to the dynamic 
simulator, including wave and current data, as well as status and char- 
acteristics of the power system, control system and propulsion system 
[32]. The dynamic simulator then calculates the position and velocity of 
the vessel over time. In the example portrayed in Fig. 1, the DP vessel is 
20 meters away from a red limit. The red-dashed line symbolizes that 
limit, and time available until passing the red limit is estimated to be 900 
seconds. 


3. Method and Results 
3.1. STEP timeline analysis of the Sjgborg accidents 


The STEP (sequential timed events plotting) method is used to 
analyze the timeline of the Sjøborg accident. The STEP method is 
developed by Hendrick and Benner [8]. STEP is a systematic process for 
accident investigation based on multi-linear event sequences, and a 
process view of the accident events. 

The STEP diagram presents the timeline of events, each row repre- 
sents a different actor that plays a role in the accident sequence. The 
actors can either be human or an controller. The columns represent the 
timeline. The time scale does not have to be on a linear scale. The main 
point of the timeline is to present the order of events and how they 
evolved relatively in terms of time. The flow of events indicated by the 
arrows, illustrate the affect of one actor’s actions on other actors’ ac- 
tions. There are two specific types of events: the initiating event, the 
event identified as the upset to normal operations and that requires a 








Positioned 5-6 meters 
aft of and 2 meters 
away from Statfjord A 









Vessel 
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response to avoid undesirable outcomes, and the end event, the events 
that presents the end of the accident sequence either the consequence (e. 
g. collision) or return to safe state (e.g. arrival at safe location). 

To analyze the Sjøborg accident the accident investigation report 
from the Petroleum Safety Authority [24] was used as input. 


3.1.1. Results 

The Sjøborg accident was analyzed with a STEP worksheet (see 
Fig. 2). The timeline is in minutes and takes the loss of position as T = 
0 (corresponding to actual time 01:50 — seconds not available from the 
report, see below). The results of the analysis are presented in Table 4. 
The accidents is broken down into an initiating event, contributing 
events, and the end event. The relevant actors have been identified for 
each event. The time of the events can be found in the last column in the 
Table. 


3.2. Time required 


In order to establish an estimate for time required a task analysis and 
timeline analysis were performed. A hierarchical task analysis (HTA; 
[27]) was developed based on the Sjgborg accident. The HTA analyzed 
two potential scenarios: the DPO detects the first alarms and decides to 
stop the operation, and the DPO notices the drift-on and tries to get toa 
safe location. The HTA was then transferred into a tabular task analysis 
(TTA; [27]) to gather information on the critical timeline of the sce- 
narios and provide structured estimates for time required for the two 
scenarios. The HTA is based on a cognitive model of detect, diagnose, 
decide, and execute/act (see Fig. 3). 

The timeline analysis requires a complete task analysis, information 
gathered from a site visit, input from experienced operative personnel, 
data from relevant drills/trainings, incident reports and investigations 
[3]. 

According to Bye et al. [3] the timeline analysis should consist of the 
following seven steps: 


Timeline 







Loses heading and Aa 

position, two of Hits lifeboat Hits drilling 
three bow thrusters station with shaftsouth 
dropped out, drifting > mast with 
towards Statfjord A V starboard 






Clears lifeboat 
statuion and moves 
north-west in a drift 

off position 












Presents alarm: 
"FAULT IN B.O.S.S. 
SYSTEM PS" and 
"FAULT IN B.O.S.S. 

SYSTEM SB" 














»| Presents returning alarms at regular interval: "HEADING 
OUT OF LIMITS", "THRUSTER PREDICTION ERROR", 
"CONSEQUENCE ANALYSIS BATTERY BTY TIME ALARM" 











Presents alarms: "BT1 
AUTOSTOP" "BT3 
AUTOSTOP" 














Perceives alarms as | 
_non-critical 








Engineer 








Y 








First officer/DPO alarms 














Perceives alarms as not unusual and acknowledges 


Attempts to switch 
DP to manual 
positioning 


Requests master to 
come to bridge 














Moves vessel six 
meters forward for 
better access to deck 





DP system 








Master 














Deck hands 











Presents alarms: 
"TUNNEL BOW 1 NOT 
READY" "AZIMUTH 
BOW 3 NOT READY" 











Switches from DP to 

Takes over on bridge | manual positioning, 

moves vessel forward 

Instructs deck hands 

to disconnect hose 
and ropes 






















Disconnecting hose 
and ropes, gets 
>| knocked over by 
ruptured hose, avoid 
being hit by falling 
debris from the mast 





Fig. 2. STEP analysis of the Sjøborg accident based on events described in the investigation report from the PSA [24]. 
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Table 4 
Results of the Sjgborg accident analysis based on the investigation report [24]. 
Event Actor Event description Time of 
sequence event (hh: 
mm) 

Context Vessel Positioned 5-6 meters aft ofand2 00:24 
meters away from Statfjord A 

Initiating IAS (Integrated Presents alarm: "FAULT IN B.O.S. 01:04 

event Automation S. SYSTEM PS" and "FAULT IN B. 
System) O.S.S. SYSTEM SB" 

1 Engineer Perceives alarms as non-critical 01:04 

2-A IAS Presents returning alarms at 01:14- 
regular interval: "HEADING OUT 01:49 
OF LIMITS", "THRUSTER 
PREDICTION ERROR", 
"CONSEQUENCE ANALYSIS 
BATTERY BTY TIME ALARM" 

2-B DPO/first officer Perceives alarms as not unusual 01:14- 
and acknowledges alarms. 01:49 

3-A DPO/first officer Moves vessel six meters forward 01:49 
for better access to deck cargo 

3-B IAS Presents alarms: "BT1 01:49 
AUTOSTOP" "BT3 AUTOSTOP" 

3-C DP SYSTEM Presents alarms: "TUNNEL BOW 1 01:49 
NOT READY" "AZIMUTH BOW 3 
NOT READY" 

4 Vesse Loses heading and position, twoof 01:50 
three bow thrusters dropped out, 
drifting towards Statfjord A 

5 DPO/first officer Attempts to switch DP to manual 01:50 
positioning 

6-A DPO/first officer Requests master to come to bridge 01:51 

6-B Vesse Hits lifeboat station with mast 01:51 

7-A Master Takes over on bridge 01:52 

7-B Vesse: Hits drilling shaft south with 01:52 
starboard side aft 

8 Master Switches from DP to manual 01:53 
positioning, moves vessel forward 

9 Master Instructs deck hands to disconnect 01:53 
hose and ropes 

10-A Deck hands Disconnecting hose and ropes, 01:54 
gets knocked over by ruptured 
hose, avoid being hit by falling 
debris from the mast 

10-B Vessel Diesel hose ruptures 01:54 

End event Vessel Clears lifeboat station and moves 01:55 
north-west in a drift off position 

Detect event 
Diagnose event 
Task goal 














Decide on actions 








Execute actions 











Fig. 3. Basic cognitive model of operator tasks. 


1 List task steps on the first level in the task analysis (i.e., level 1.0) 
vertically together with who is responsible for carrying out each task. 

2 Draw a timeline horizontally using a scale suitable for the duration of 
the task and scenario being analyzed. Time = 0 is defined by the 
physical initiation of the event. 

3 Include the next point in time, which will be the first cue presented to 
operators indicating the initiating event. This is typically an alarm, a 
visual observation of the event, or a physical sensation. 
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4 Discuss the duration of each following task step using the details 
captured in the task analysis. 

5 Time estimates are recorded in a table 

6 Conclude when the last task required is successfully accomplished. 
The duration from Time = 0 to Time = task completion equals the 
estimated time required. 

7 For completeness, mark the time when the effect of the task is 
evident 


The HTA was verified during three interviews with male interview 
subjects who have on average 20 years’ experience with supply opera- 
tions on the NCS. No identifying information about the interview subject 
was recorded. After the HTA was verified, the TTA was completed and 
information for the timeline analysis was gathered. The interviews las- 
ted 1,5 hours each and took place via video conference were conducted 
June-August 2020. 


3.2.1. Results time required 

Time required is established through a breakdown of two scenarios: 
early warning intervention and recovery of situation. The early warning 
intervention starts with the same initiating event as the Sjøborg acci- 
dent, but the DPO then decides to abort the operation based on the first 
alarms coming in on the IAS (Integrated Automation System) and move 
the vessel to a safe location. The HTA of this scenario can be found in 
Fig. 4. A further analysis of these tasks can be found on the TTA in 
Table 5. 

The second scenario, the recovery actions, starts with the initiating 
event of the alarms of the two thrusters not being ready, the DPO then 
recognizes the situation and immediately decides to switch the DP sys- 
tems to manual and move toa safe location. The HTA of this scenario can 
be found in Fig. 5. A further analysis of these tasks can be found on the 
TTA in Table 6. 

The three interview subjects all agreed on the identified tasks and 
provided similar time estimates. A method for aggregating expert 
opinions into a group fuzzy consensus opinion [13] was considered. 
However, due to the high level of consensus on the time estimates (66% 
were identical), the median of the estimates was chosen for further 
analysis. The estimates from each interview are provided in Table 5 and 
Table 6. 

Based on the tasks identified as the critical path a timeline was made 
for the first scenario (see Fig. 6). The time estimates are based on the 
assumption that all involved personnel are alert and available. Median 
time estimates from the interviews were used for the timeline as the 
estimates were very similar. As mentioned in Table 5, the communica- 
tion with the engineer (task 4 in Fig. 6) about the problem will take 
longer if the electrician needs to be called, but the scenarios assume that 
the engineer communicates to the bridge that the cause of the problem is 
unknown. Additionally, the communication with the crane driver esti- 
mate is also optimistic (task 7 in Fig. 6). Communicating the information 
itself should not take longer than a few seconds, but this is assuming that 
the crane driver answers the call immediately, which is not always the 
case due to the traffic on the channel. In Fig. 6, the time estimate for the 
entire scenario starting with the detection of the alarms and ending in 
arrival at the safe location (100 meters forward from the installation in a 
drift-off position) is around 260 seconds. 

A separate timeline was made for the second scenario (see Fig. 7), 
which is based on the critical path of the identified recovery actions (see 
Table 5). This scenario starts with the vessel losing thruster capacity and 
starting to lose its position and ends when the vessel has arrived at a safe 
location, which is also assumed a 100 meters forward from the instal- 
lation in a drift-off position just like the previous scenario. The time 
estimates are based on the assumption that the DPO is alert and aware of 
the operating situation. Median time estimates from the interviews were 
used for the timeline as the estimates were very similar. The timeline 
shows that upon receiving the alarms for lost thrusters the operator 
discusses and diagnoses the situation with DPO 2 and then decides that 
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1.1 Detect alarms on IAS 
screen: “FAULT IN B.O.S.S 
SYSTEM PS” and “FAULT 


IN B.O.S.S SYSTEM SB” f ) 
bess 





1.2 Move vessel away 
from installation based 
on available range 





2.1 Discuss with other 
DPO on bridge 


2.2.1 Gather information 


on type of failure 


2.2.2 Gather information 
on possibility to fix failure 


2.2.3 Gather information 


on duration of failure 


2.2.4 Gather information 
on how the failure will 


'— 2.2 Call the engineer on duty 


effect performance 


4.1.2.1 Inform 
about stop of 
offloading/loading 


4.1.2.2 Inform about move 
to safe location 


4.1.2.3 Provide time 
estimate for repairs 


2.3 Call the captain 





| 2.4 Verify DP system is | 
| otherwise running asit ~ 
| _ should 


2.5 Verify position 
keeping capabilities -~ 
unaffected 


3.1 Decide to stop 
loading/offloading 


3.2 Decide to 
disconnect hoses 


3.3 Decide to move to a 
safe location to fix the 
problem 


4.1.1 Inform about failure 


4.1 Inform installation 
4.1.2 Inform about plan 


4.2.1 Inform about failure 
4.2 Inform engineer 


4.2.2 Inform about plan pump room 


4.3.1 Inform about failure 





4.3.2 Inform about plan 


4.4.1 Inform about failure 


4.4.2 Inform about plan SAE i 


4.5 Secure load | 


| 4.6 Disconnect hoses 


4.7 Retrieve hoses } 


4.8 Verify hoses 
disconnected 


4.9 Confirm hoses are 
disconnected and 
retrieved 


4.10 Move out of 
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H 2. Diagnose m 


H 3. Decide 


Prevent loss of position of 
| supply vessel whilst offloading 





Fig. 4. Hierarchical Task Analysis (HTA) of the early warning scenario based on events of the Sjøborg accident. 
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Table 5 
Tabular Task Analysis (TTA) of the early warning scenario based on events of the Sjgborg accident data obtained and verified in interview. * CP = critical path. 
# Task Responsible Cue Order Simultaneously Time estimate per Comment 
of CP* with interview (in 
seconds) 
1 2 3 

1. Detect 

1.1. Detect alarms on IAS DPO1 Visual and auditive 1 1 1 1 Presented on other screen, possible 
screen: “FAULT IN B.O. alarm. DPO does not monitor this actively, 
S.S SYSTEM PS” “FAULT and will be informed about this by 
IN B.O.S.S SYSTEM SB” engine room. This scenario assumes 

the DPO detects the alarm. 

1.2. Change heading of DPO1 Proximity to 2 Task 2.1 40 40 40 Size of move depends on slack in the 
vessel away from installation and hose and crane operations. Speed 
installation based on potential for escalation also dependent on weather. This 
available range of hoses of situation. would happen after you find out the 

meaning and consequences of the 
alarms. 

2. Diagnose 

2.1. Discuss with other DPO DPO1 and DPO2, Task 1.1. 3 Task 1.2 0 5 15 Discuss potential loss of redundancy 
on bridge highest rank on and escalation of situation. 

bridge if Discussion is held with relevant 

available personnel on the bridge, but as a 
minimum between DPO 1 and DPO 
2. 

2.2. Call the engineer on DPO2 The engineer does not 4 10 15 30 This will take a bit longer, the DPO 

duty know the cause of the will request the engineer to consult 
error. with the electrician and find out of 
problem. If this happens during the 
night shift, the electrician will be in 
bed and needs to come down first. 
Uncertain how much time it will take 
for engineer to come to phone. 

2.2.1. Gather information on DPO2 and 
type of failure engineer 

2.2.2. Gather information on DPO2 and 
possibility to fix failure engineer 

2:2:3. Gather information on DPO2 and 
duration of failure engineer 

2.2.4. Gather information on DPO2 and 
how the failure will engineer 
effect performance 

2.3 Call Captain DPO2 5 Call to inform about the failure and 

the unknown cause of the failure. 
The captain will come to the bridge. 

2.4. Verify DP system is DPO1 Position plot, alarms, 
otherwise running as it thruster and power 
should use, reference systems, 

consequence analysis. 

2.5. Verify position keeping DPO1 Position plot, alarms, 
capabilities unaffected thruster and power 

use, reference systems, 
consequence analysis. 

3. Decide Highest rank on Task 2.2. 5 Task 2.2. 1 15 15 Time is dependent on if the DPOs 

bridge agree, or not. 

3.1. Decide to stop loading/ Highest rank on Task 2.2. 
offloading bridge 

3.2. Decide to disconnect Highest rank on Task 2.2. No problems with position keeping 
hoses bridge so the DPOs will decide to take the 

time to disconnect. 

3.3. Decide to move to a safe Highest rank on Task 2.2. Safe location is preferred to be 
location to fix the bridge within the 500 meter zone if the 
problem engineer and DPO think the problem 

can be repaired locally and relatively 
quick, to avoid reentering procedure. 
The safe location is always in a drift 
off position relative to the 
installation and other vessels/objects 
on the field, and at least a 100 meters 
away from the installation and other 
vessels/objects on the field (if 
relevant). 

4. Act There is no real hurry, the vessel is 


still capable of position keeping, but 
the DPOs do not know if this will 
change, therefore the operation will 
be aborted safely and efficiently. 


(continued on next page) 
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# Task Responsible Cue Order Simultaneously Time estimate per Comment 

of CP* with interview (in 
seconds) 
1 2 3 
4.1. Inform installation CCR DPO2 Task 2.2. and Task 3. 8 Task 4.6 15 5 5 Informed last when the abled bodies 
on deck and crane driver have 
started the disconnect. 
4.1.1. Inform about failure DPO2 Task 2.2. and Task 3. 
4.1.2. Inform about plan DPO2 Task 2.2. and Task 3. 
4.1.2.1. Inform about the stop of | DPO2 Task 2.2. and Task 3. 
offloading/loading 

4.1.2.2. Inform about the move DPO2 Task 2.2. and Task 3. 
to safe location 

4.1.2.3. Provide time estimate DPO2 Task 2.2. and Task 3. 
for repairs 

4.2. Inform engineer pump DPO2 Task 2.2. and Task 3. 5 Engineer is listening on radio. 

room 

4.2.1. Inform about failure DPO2 Task 2.2. and Task 3. 

4.2.2. Inform about plan DPO2 Task 2.2. and Task 3. 

4.3. Inform deck DPO2 Task 2.2. and Task 3. 7 5 5 5 On same frequency as crane driver 
and bridge. 

4.3.1. Inform about failure DPO2 Task 2.2. and Task 3. 

4.3.2. Inform about plan DPO2 Task 2.2. and Task 3. 

4.4. Inform crane DPO2 Task 2.2. and Task 3. 6 5 5 This will take a bit longer, because 
the crane driver can be difficult to 
reach on radio. Crane operation will 
take longest therefore informed first. 

4.4.1. Inform about failure DPO2 Task 2.2. and Task 3. 

4.4.2. Inform about plan DPO2 Task 2.2. and Task 3. 

4.5. Secure load Deck and crane Task 4.3. and Task 4.4. 

driver 

4.6. Disconnect hoses Deck Task 4.3. 9 20 20 30 Time required is dependent on the 
location of the crane. For this 
scenario, it is assumed that the crane 
is positioned over the deck of the 
supply vessel. 

4.7. Retrieve hoses Deck and crane Task 4.3. and Task 4.4. 10 15 30 30 

driver 
4.8. Verify hoses Deck Task 4.2. 
disconnected 
4.9. Confirm hoses DPO1 Visually out window 11 1 1 1 
disconnected and being and on CCTV. 
retrieved 
4.10. Move out 100-meter DPO1 Task 4.9. 12 120 120 120 Use joystick to move out. When ina 


forward into a drift-off 
position 


drift-on position it is not allowed to 
go from DP to manual within two 
ship lengths of installation, for a drift 
off position, this limit is one ship 
length. The Sjgborg was in breach 
with this limit when the alarms were 
received. 





they need to move immediately, after which DPO 1 changes the DP 
system to manual mode and tries to move to a safe location with the 
remaining thruster capacity. The time estimate of the move to the safe 
location does not reflect the environmental forces working against the 
vessel and the lack of thruster capacity per se. This would slow the move 
down. However, the most important goal is to avoid collision and move 
away from the installation. At this point of the scenario the duration is of 
the task is less relevant. 


3.3. Perceived time available and perceived time required 


Perceived time available and perceived time required estimates were 
obtained with an electronic questionnaire distributed among DPOs with 
supply vessel experience. The survey was distributed via a survey 
monkey website link and was completely anonymous. The sample of 88 
participants had the following characteristics: age: 22 reported between 
25-34 and 31 between 35-44, 24 reported between 45-54, and 11 re- 
ported between 55-64. On gender: 87 reported male, one was not 
comfortable reporting gender. On position: 30 reported DPO, 28 re- 
ported Chief Officer, 26 reported Captain, 3 Marine Traffic Controller 
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and one person failed to state current position. On years of experience as 
DPO (or higher) on a supply vessel: M = 12 (SD= 7; N=87) years, na- 
tionality: 74 Norwegian, 11 Swedish and 3 Finnish. 

The participants were provided with the following scenario 
description: 

“The scenario is based on the Sjgborg incident that took place at the 
Statfjord A platform June 2019. A description of the scenario is presented 
below, we ask that you answer the questions solely based on the information 
provided below and that you do not consider other knowledge you might 
have about the incident. 

Fresh water, diesel oil and deck cargo were being transferred from a 
supply vessel to a platform in the North Sea. The platform is a production and 
drilling facility with three concrete shafts (see Figure). The Supply vessel has 
an equipment class 2 DP system, the vessel is 86 meters long and 19.6 meters 
broad, with a specified displacement of about 7 300 tonnes at that time. The 
supply vessel has a battery system was installed on the main deck. 

The supply vessel was in position on the southern side to discharge deck 
and bulk cargoes. The vessel lay on the windward (weather) side, with its bow 
pointing west. The weather was given as 11 meters/second of wind with a 
direction of about 210 degrees and a significant wave height (Hs) of 1.4 
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1.1 IAS alarm from 
thruster system: “BT1 
AUTOSTOP", DP alarm: 
“TUNNEL BOW 1 NOT 
READY". 

IAS alarm from thruster 
system: "BT3 
AUTOSTOP” DP alarm: 
“AZIMUTH BOW 3 NOT 
READY". 


.2 Detect consequence alarm | 


1.3 Detect loss of 
heading 


1.4 Detect loss of 
position 





2.1 Determine that a 
drift-on is occurring 


2.2.1 Remember operating 
on windward side 


2.2.2 Recognize 
insufficient power to 
maintain position and 
heading 


2.2 Determine that 
vessel is on collision 
course 


3.2 Decide to move out 


4.1 Change to manual 
on DP console 


4.2 Direct thrusters and 
move vessel away from 
installation 


4.3 Communicate with 
deck, pump room, 
installation, crane 


Fig. 5. Hierarchical Task Analysis (HTA) of recovery scenario based on events of the Sjøborg accident. 


meters. The power supply system was configured with one generator on the 

port main switchboard segment and the battery system on the starboard side, 

while the isolator switch between the switchboard segments was in the closed 

position. A technical fault meant the load reduction mode was activated on 

the vessel, reducing power to all its thrusters to 10-15 per cent of the 

maximum. At about 01.50, power was lost to two of three bow-thrusters. 
Below a timeline of the events is presented. ” 





Event 

Vessel positioned 5-6 meters aft of and 2 meters away from the platform 
structure. That gave better access to deck cargo. 

Alarms on IAS screen: “FAULT IN B.O.S.S SYSTEM PS” and “FAULT IN B. 
O.S.S 

SYSTEM SB”. 

Several DP alarms at regular intervals: 

“HEADING OUT OF LIMITS” 

“THRUSTER PREDICTION ERROR” 

“CONSEQUENCE ANALYSIS BATTERY BTY TIME ALARM” 

DP system change to move vessel 6 meters forward for access to deck cargo. 
IAS alarm from thruster system: “BT1 AUTOSTOP”, DP alarm: “TUNNEL 
BOW 1 

NOT READY”. 

IAS alarm from thruster system: “BT3 AUTOSTOP” DP alarm: “AZIMUTH 
BOW 3 

NOT READY”. 


Time 
00.24 


01.04 


01.14- 
01.49 


01.49 
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They were asked to answer the following questions based on the 
scenario description only: 


e IF the supply vessel was to collide, how long time do you think it will 
take before the vessel reaches a point of no return or collides? ES- 
TIMATE IN SECONDS 

e IF the supply vessel was to collide, how much longer time do you 
think the DPO needs to avoid a collision? ESTIMATE IN SECONDS 

e Any comments? (OPEN TEXT) 


3.3.1. Results perceived time available 

Data analysis showed that out of the 88 participants there were 17 
outliers in the data spread over the perceived time available and time 
required. The outliers were removed from the data set, leaving 71 par- 
ticipants. The average perceived time available before the vessel would 
collide or cross a point of no return was M = 32 (SD = 24; N = 67). The 
dataset showed that the variance between the conditions was not 
significantly equal. Despite this, multivariate analyses were conducted 
including age, experience and position as independent variables and 
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Table 6 
Tabular Task Analysis (TTA) of recovery scenario based on events of the Sjgborg accident data obtained and verified in interview. * CP = critical path. 
# Task Responsible Cue Order Simultaneously Time estimate per Comment 
of CP* with interview (in 
seconds) 
1 2 3 
1. Detect 
1.1 IAS alarm: “BT1 AUTOSTOP”, DP DPO1 1 1 1 15 Call engine room, to find out what happened, 
alarm: “TUNNEL BOW 1 NOT READY” this can take additional time dependent on 
“BT3 AUTOSTOP” DP alarm: where the engineer is. Not obvious from HMI, 
“AZIMUTH BOW 3 NOT READY” will have to check status of thrusters to see they 
have actually stopped. 

1.2 Detect consequence alarm 

1.3 Detect loss of heading 

1.4 Detect loss of position 

2 Diagnose DPO1 Task 2 1 30 30 Discuss with DPO2, register that you lost 2 

1.1 thrusters and that the vessel will drift/is 
drifting. 

2.1 Determine that a drift-on is occurring 

2.2 Determine that vessel is on collision 

course 
2.2.1 | Remember operating on windward 
side 
2.2.2 Recognize insufficient power to 
maintain position and heading 
3 Decide DPO1 Task 3 1 1 Decision-making is considered a part of 
2 diagnosis time. Senior DPO will take the 
decisions, even when not on DP. 

3.1 Decide to disconnect Secondary concern (dangerous situation for 
deck hands, this worries the DPO and could 
affect the chosen solution) 

3.2 Decide to move out Primary concern, consider joystick/manual 
dependent on speed of drift off, if slow than 
joystick gives you more control, but less thrust. 
Manual you risk moving, at first, a bit closer to 
the installation before you can use full power 
away 

4 Act DPO1 Task 

3 
4.1 Change to manual on DP console 4 1 1 1 
4.2 Direct thrusters and move vessel away 5 120 120 120 
from installation 
4.3 Communicate with deck, pump room, DPO 2 Task 6 Task 4.1 and 4.2 120 120 120 _ This is as assumption, has to be simulated. 
installation, and crane. 3 Have to come to a drift-off position. This is a 
minimum 
0 10 20 30 40 50 60 70 80 90 100 110 2571 
l 
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Fig. 6. Timeline critical path tasks (see Table 5) time required scenario 1: early warning based on the Sjøborg accident. 


perceived time available and perceived time required as dependent 
variables. None of the effects were significant. 


3.3.2. Results perceived time required 

The average estimated time required for the DPO to avoid a collision 
was M = 21 (SD = 14; N = 66). 

A non-parametric test (Related Samples Wilcoxon Signed Rank Test) 
was performed to compare the means of perceived time available and 
perceived time required. The analysis showed that the means differ 
significantly p< 0.05. This means that the perceived time required was 
significantly less than perceived time available, which would result in 
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most participants estimating that they would be able to avoid a collision. 
3.4. Time required as human response time (HRT) model 


3.4.1. Detection and diagnosis 

Palmer, Horowitz, Torralba and Wolfe [20] conducted an experi- 
ment to capture response time distribution of visual tasks including 
feature searches, conjunction search, and spatial configuration search. 
In this research, the ability of four functions to capture the resulting 
empirical RT distribution is evaluated, and Gamma distribution is sug- 
gested as one of the functions that fits well to the data. The detection and 
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Fig. 7. Timeline critical path tasks (see Table 6) time required scenario 2: recovery based on the Sjgborg accident. 


diagnosis process in a DP operation is a combination of the tasks pre- 
sented in this research. Thus, gamma distribution is used to evaluate 
detection and diagnosis response time. 

The gamma distribution is a two-parameter category of continuous 
probability distributions. Eq. (1) presents a general form of the gamma 
distribution. The gamma distribution can be parameterized in terms of a 
scale parameter « and a shape parameter ß. 


E-a texp() 


(1) 

The shape and scale parameters are defined based on Chen, Moan 
and Vinnem [6]. In this research, experiment data on response time in 
DP systems are provided for FPSO-ST offloading operations. The HRT 
model in this paper uses the response time data to predict the response 
time for a drift-off on a shuttle vessel; it assumes that the response time is 
transferable since the operator is operating a nearly identical system. 
Limitations associated with this assumption are explained in the dis- 
cussion section of this paper. 

The response time data from the study from Chen, Moan and Vinnem 
[6] show that etection and diagnosis of driving off approximately takes 
59 seconds. Based on these data, the shape and scale parameters for 
detection response time are 2 and 400, respectively. Fig. 8 presents the 
shape of the gamma distribution with these parameters, and the mean 
value of 23.1 seconds. 

This graph presents the probability plot of the time required for 
detection. The values on the Y-axis are probability x 10e4, e.g., number 
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Fig. 8. The probability distribution of detection response time. 
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200 on Y-axis presents 200{10e4=0.02). 

Fig. 9 presents the probability distribution of diagnosis response time 
that follows the gamma distribution. As mentioned, the shape and scale 
parameters are defined based on data provided in Chen, Moan and 
Vinnem [6]. The shape and scale parameters of the distribution is equal 
to 1.5 and 850, and the mean value is 37.3 seconds. 

The probability distribution of detection and diagnosis is presented 
in Fig. 10. The mean value of the distribution is 60.1 seconds. Chen, 
Moan and Vinnem’s [6] study reported a mean value of 59 seconds for 
the decision-making and diagnosis time for handling a drive-off during a 
FPSO-ST offloading operation. 


3.4.2. Decision-making and execution 

The allocated time to the decision-making and execution process is 
stochastic. According to Ma, Holden and Serota [17], the best distribu- 
tion that fits human response time is the generalized inverse gamma 
distribution. In probability theory and statistics, the generalized inverse 
Gaussian distribution (GIG) is a three-parameter category of continuous 
probability distributions with probability density function. The general 
form of the GIG distribution is presented in Eq. (2). 


p/2 
(a/b) PV eo (artb/x)/2_ x>0, 


I) = oe (Jab) 


(2) 
Where, Kp is a modified Bessel function of the second kind, a > 0, b > 
0 and p are real parameters of the function. In this study, the allocated 
time to the decision-making and execution process is assumed to follow 
the GIG distribution. 
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Fig. 9. The probability distribution of diagnosis response time. 
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Fig. 10. The probability distribution of detection and diagnosis response time. 
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Fig. 11. The probability distribution of decision-making response time. 
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Fig. 12. The probability distribution of execution response time. 
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For the decision-making process, a, b and p are considered to be 
equal to 1, 2.5, 1 respectively. These factors give a narrow tail that 
shows there are some decision-making process that may take longer 
time. In addition, these factors give the mean value of the decision- 
making distribution equal to 16.2 seconds, which is in the range of 
required time for decision-making process, according to Chen, Moan and 
Vinnem [6]. The probability distribution of decision making response 
time is presented in Fig. 13. 

The response time of execution follow GIG distribution as in previous 
stages. However, as the required time for this step is shorter than 
decision-making, a, b and p parameters are considered equal to 2, 1 and 
1, respectively. 

The distribution probability of decision-making and execution time 
is presented in Fig. 13. The mean value of the distribution is 21.5 sec- 
onds. Chen, Moan and Vinnem’s [6] study reported a mean value of 22 
seconds for the decision-making and execution time for handling a 
drive-off during a FPSO-ST offloading operation. 


3.4.3. Total reaction time 

Fig. 14 presents the probability distribution of reaction time that 
includes detection, diagnosis, decision-making and execution phases. 
The mean value of the distribution is 81.9 seconds (SD = 36.49; Vari- 
ance = 1332). Chen, Moan and Vinnem’s [6] study reported a mean 
value of 81 seconds for the total response time for handling a drive-off 
during a FPSO-ST offloading operation. 

Confidence intervals on the mean of the response time are presented 
in Table 7. Confidence interval is an interval for which we can assert, 
with a given degree of confidence, that it includes the true mean value 
being estimated. The confidence interval could be calculated as: 
= SD 


AT lfa (3) 





X is the mean; Z is the z-value, presented in Table 7; SD is the standard 
deviation; n is the number of samples, which is equal to 10,000 


4. Discussion 
4.1. Comparison of the applied methods and results 


Table 8 summarizes the findings from the various time analyses 
presented in the previous section. 
The time available based on the STEP analysis of the case study for 
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Table 7 
Confidence intervals for the mean of total reaction time. 
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Table 8 
Overview of analyses and time estimates in seconds. 





Total 
time 
2220 


Analysis Detection Diagnosis Decision Execution 


time time time time 
Section 3.1: 
Timeline 
analysis incident 
report (time 
available) - Early 
warning 
scenario 

Section 3.1: 
Timeline 
analysis incident 
report (time 
available) — 
Recovery 
scenario 


120 





Section 3.2: 
Timeline 
analysis (time 
required) — 
Early warning 
scenario 

Section 3.2: 1 pi 1 
Timeline 
analysis (time 
required) — 

Recovery 
scenario 


41 50 10 181 257 


121 153 





80% 
85% 
90% 
95% 
99% 
99.50% 
99.90% 


1.28 
1.44 
1.64 
1.96 
2.58 
2.80 
3.29 


81.90.47 
81.90.53 
81.90.60 
81.90.72 
81.90.94 
81.91.02 
81.9+1.20 








the early warning scenario (2220 seconds) and the time required for 
handling such a scenario (257 seconds, based on median estimates) 
highlight the fact that the accident could have been prevented if proper 
action was taken then, there was sufficient time to do so. However, when 
comparing the estimates for time required based on the recovery sce- 
nario (time available: 120 seconds; time required: 153 seconds based on 
task analyses (median estimates), or 82 based on the HRT model the 
margins are less favorable, meaning that the operator has almost no 
chance of successfully recovering from a loss of position. Please note that 
the original investigation report only presented the time of the events on 
a minute scale and not on a second scale, on which the other analyses 
were performed, and that the scenarios of the investigation report end in 
collision, whereas the other analysis end-states are a successful recovery. 

The estimates provided for the timeline analysis (time required in 
Section 3.2 and Table 8) are very optimistic, they assume that all actors 
are alert and available at the time of the situation. Especially the esti- 
mates for the early warning scenario, since position-keeping capabilities 
are not directly threatened, it seems reasonable to assume that more 
time is taken to diagnose the situation and decide on the course of ac- 
tion. Often pressures are experienced from the installation to continue 
operations so they can receive and offload all cargo [11], which can 
influence the decision. 

Furthermore, one should take into consideration that the estimates 
for the execution in the timeline analysis for time required are based on 
ending up in a safe end-state, which has been defined as a 100-meters 
away from the installation in a drift-off position. The estimated time 
to arrive at this location is based on all thrusters being functional. This 
end-state differs from the end-state of the human response time model, 
which ends the scenario at the DPO initiating the recovering action and 
not the arrival at the location. The difference constitutes 120 seconds 
based on the time required estimates provided in Table 5 and Table 6. 

The estimates for perceived time available and perceived time 
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Section 3.3: Perceived time available — 
Recovery scenario 
Section 3.3: Perceived time required — 
Recovery scenario 


32 (SD = 24; 
N = 67) 
21 (SD = 14; 
N = 66) 





Section 3.4: Human Response Time model 233 37 16 5 = 82 


(time required) — Recovery scenario 





required tell us that the participants believe there is significant more 
time available than what is required to avoid a collision (see Table 8). 
The perceived time available is so little that it is unlikely it influences the 
decision on how to handle a situation like this, or the decision when to 
initiate action. These responses would have to be almost reflex-like in 
order to be able to succeed under these time pressures. What is more, 
this optimism is despite the fact that most participants are likely to be 
familiar with the Sjøborg accident, and would know that the vessel 
collided with the installation. 

The mean of perceived time available, 32 seconds, is also lower than 
the time available calculated in the timeline analysis, 120 seconds. This 
could be due to the participants estimating time available until the 
point-of-no-return instead of time to collision. 

The human response time (HRT) model estimate (82 seconds) in- 
dicates that there would have been sufficient time to recover from the 
loss of position as it was described in the accident investigation report. 
The accident investigation showed that the DPO was not successful in his 
first attempt to manually take over and move the vessel away from its 
collision course. They had to wait for the master to come to the bridge 
and take over. The master was successful in the manual take over, but 
was too late to avoid a collision. Furthermore, the HRT estimates are 
based on data from a study by Chen, Moan and Vinnem [6], which was 
based on shuttle tanker drive-offs and not supply vessel drift-off. 
Observational data from various DP operations and incident scenarios 
need to be gathered to verify the applicability of these results. 

In summary, the methods differ in the aspect of time they measure, 
the STEP analysis is a retrospective analysis based on incident reports 
where time available is measured. The quality of the analysis is depen- 
dent on the quality of the incident investigation report, any uncertainty 
in the report will be transferred to the STEP analysis. The timeline 
analysis based on the task analyses analyzes the time required to 
perform a task or achieve a goal, the quality of the analysis is dependent 
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on the quality of the task analyses and the representativeness of the time 
estimates gathered from interviews, observations, simulations, and ac- 
cident reports. Furthermore, individual and context factors will always 
vary and the time required estimate is to be viewed as an average. The 
perceived time available and perceived time required estimates are 
based on estimates provided in a survey. These estimates are subjective, 
and are intended as such, however, the interpretation of the question 
could not be controlled in an online survey resulting in uncertainty 
regarding the representativeness of the estimates. The human response 
time model estimates the time required for the operator. Since the input 
to the model is partially based on reaction time studies for a drive-off on 
a shuttle tanker, instead for a drift-off on a supply vessel, there is un- 
certainty regarding the representativeness of the time required esti- 
mates. Further research will need to test the hypothesis that these 
differences do not affect the human response time. The HRT model can 
dynamically provide models for human response times and integrated 
them in online risk models. 

The majority of the applied methods measure different aspects of 
time and are therefore not directly comparable. Only the time required 
measure for the recovery scenario based on the task analyses and the 
HRT model can be compared. The HRT model estimates that time 
required is 82 seconds, and the time required based on the task analyses 
estimates 153 seconds, which is nearly twice as long. This difference can 
be explained by three causes, or a combination of them. First, the time 
required analysis based on the task analyses defined the end-state of the 
scenario as the arrival at the safe location, the time to get to that location 
was estimated at 120 seconds, leaving only 33 seconds for response time 
to the loss of position before initiating the move. Second, this estimated 
response time is optimistic and assumes an operator that is alert, vigi- 
lant, and has the confidence to act personally and adequately. Third, the 
data used in the HRT model is based on a drive-off situation for shuttle 
tankers, this data might not be representative for supply vessels expe- 
riencing a drift-off. 


4.2. QRA and HRA methods and time 


QRA methods mainly take time in consideration to be able to esti- 
mate speed at time of collision. The models are usually simplistic and do 
not include a human reliability analysis to calculate the probability for 
human error and the reliability of the human barrier element. By 
neglecting the human element and the importance of time within the 
safety of DP operations, QRAs are also preventing the identification of 
effective risk mitigating measures. Instead, more attention is directed 
towards structural integrity, since you do what you measure. 

QRA analyses should be improved by including the effect of time on 
the reliability of the human operator. Some of the operational scenarios 
described in Table 1 do not allow for sufficient time for an operator to 
respond, meaning that based on the calculations for time required this 
time simply is not available, leading to an error probability of 1. Having 
an operator monitoring the system, serving as a last barrier in case of 
loss of position, is therefore not a functioning barrier. It is important to 
spread this awareness and avoid a false sense of security and putting 
unrealistic expectations on the operator. The availability of these anal- 
ysis results during the planning phase of the operation will allow the 
operation to install other barriers or change operational set-up 
increasing the separation distance or excursion tolerance, giving the 
operator more time to be able to serve as that last barrier against loss of 
position and avoiding a collision or other negative consequences. 

Furthermore, it is important to include the perceived time available 
and perceived time required into the analysis as well. Few HRA methods 
take this into account, of the six HRA methods mentioned in this paper, 
only the SPAR-H and the Petro-HRA consider the effect of perceived 
time on reliability of the performance of the operator. Only the Petro- 
HRA method takes into account the effect of optimistic time estimates 
by the operator. Creating awareness amongst the operators of time 
available and time required for various loss of position scenarios is 
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critical, because it affects the decision of what kind of exit strategy to 
utilize. This is important to highlight in both the risk analyses prior to 
operation as well as during operation and training. 


4.3. Automation and decision support design and time 


Automation and decision support tools need to be designed with not 
only focus on what to communicate to the operator and how to 
communicate that information, but they also need to be thoughtful 
about when to communicate information. For example, if alarms that are 
given due to reaching or approaching predefined limits for position 
excursion do not give the DPO sufficient time to be able to intervene and 
recover from a loss of position, then either these limits need to be 
redefined or the operating conditions need to change. 

Hollnagel [12] also argues to change the view of decision-making 
and move the focus from which decision alternative is most optimal to 
how to implement that decision and when a decision is made. Within the 
realm of DP operations this means that instead of focusing on whether to 
intervene or not (which are the only alternatives in the studied sce- 
narios) to focus on how to move or remain on location and when this 
decision needs to be made. He further argues that this change in view 
does not only affect the way we view decision-making, but also decision 
support. His views are supported by this study that demonstrate the 
importance of time in the decision-process and the need to focus on the 
“when” of decision-making in decision support tools and risk analyses. 


4.4. Training and time 


Training of operative personnel in realistic settings is essential in the 
preparation for them to be able to handle loss of position scenarios. As 
demonstrated in the time analyses performed and the resulting time 
estimates, there is very little time available for DPOs to recover from a 
loss of position before the loss will result in a collision or other serious 
consequences. Realistic training settings are important for experiencing 
the time pressures first hand. Moreover, the awareness of the time 
pressures in a loss of position scenario will also instill the operator with 
confidence to take early warnings of potential loss of position scenarios 
more seriously. If they do not act on the early warnings signs, then they 
could end up in a situation where they have less than 1,5 minutes to 
prevent a collision. 

To understand the time available and time required, DPOs need to be 
educated about the time the technical system requires to complete 
certain actions, such as recalibration of the reference systems and 
turning of thrusters. Furthermore, DPOs need to experience the time 
available and time required to handle various loss of position scenarios. 
When teaching about decision-making during these types of scenarios 
time needs to be highlighted as a critical factor. 


4.5. Limitations and future work 


The time required analysis is based on only three interview partici- 
pants, the interview data can be considered saturated, since consensus 
was reached in the results presented in this paper. However, to obtain 
more robust results further interviews could be conducted or the results 
can be supplemented by observations in a simulator. The estimates 
provided in this study are, therefore, to be interpreted with this limi- 
tation in mind. 

For the scenario description of the survey for perceived time avail- 
able and perceived time required was unable to avoid association with 
the case study: the Sjøborg incident. The authors therefore decided to 
reference the incident in the description and ask the participants to not 
base their estimates on what they know about the further course of 
events. However, their knowledge about the incident has undoubtedly 
colored their estimates, if not the knowledge that the loss of position 
incident led to a collision. Further research should therefore consider 
including a hypothetical scenario, where these factors cannot affect the 
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estimates of the participants. 

The shape and scale parameters of the HRT model are based on the 
experimental data obtained from a study performed by Chen, Moan and 
Vinnem [6]. However, as mentioned earlier this data is based on 
modeling a FPSO-ST drive-off scenario, and this paper assumed that the 
obtained response time obtained are transferable to the scenario in this 
paper which models a drift-off on a supply vessel. This assumption is 
rather weak, because there are several differences in operating condi- 
tions between supply vessels and FPSO-ST operations [9]. For example, 
the distance between the vessel and the collision object varies from, 
typically 80 meters for shuttle tankers, to as little as 20 meters for supply 
vessels. This does not only affect time available, but also the perceived 
stressfulness of the situation, which again can affect performance [2,3]. 
DPOs on a shuttle tanker received additional warnings about loss of 
position from changes in tension on the loading hose, which is not 
available on a supply vessel. These considerations limit the trans- 
ferability of the results of the HRT model. Additional experimental data 
on response times for several scenario and operational types needs to be 
gathered to test the assumption that the data from the study by Chen, 
Moan and Vinnem can be utilized as input to the shape and scale pa- 
rameters of the HRT model, modeling different scenarios. 

Moreover, future research should look into further developing the 
HRT model and integrating it with the dynamic simulation. The inte- 
gration of these two models could present dynamic time required and 
dynamic time available to an operator. If this research is taken one step 
further then these values could be included in a general online decision 
support tool, where time is a critical factor. The online dynamic decision 
support tool will deliver a better risk picture and will support the dy- 
namic nature of decision-making for DP operations ranging from reac- 
tive emergency management to a pro-active approach where decision 
scenarios could be analyzed and anticipated based on real-time infor- 
mation. One such possibility would be to simulate all alternative deci- 
sion scenarios and provide an approximate time scale and safety level of 
each scenario. This would include scenarios that have a simulated time 
available that exceeds time required as modelled by the HRT model. 
Another option would be to allow the operator(s) to be informed about 
the event and sequence probabilities in the near future. This information 
could help operator(s) to readjust system configuration with improved 
knowledge about the system, operation and the timeline of future states. 


5. Conclusion 


In this paper, the importance of time in the risk of DP operations has 
been highlighted by presenting the analyses of time through several 
methods based on a case study. Neglecting the various ways in which 
time influences the safety of DP operations prevents the identification of 
effective risk reducing measures. More time needs to be spent on 
educating risk analysists and designers on the importance of all aspects 
of time. Designers can introduce technological solutions that allow for 
more time for recovery actions and HMI solutions that support the 
operator better when working under time pressure. Risk analysts and 
risk managers need to identify risks related to the time to capture the 
dynamic nature of risk associated with dynamic positioning operations. 
Only when time is included correctly the risks can be adequately dealt 
with. Furthermore, DPOs need to be trained so they understand the 
relationship between time available, time required, perceived time 
available and perceived time required and how their work is affected by 
this relationship. As can be seen from the results of the various analyses 
presented in this paper the margins between the time that is required 
and the time that is available are too close and in some cases insufficient. 
Furthermore, there are also discrepancies between the perceived time 
available and required that could affect the performance of the operators 
under similar conditions. Awareness around time available and time 
required should promote operators to always increase their distance to 
collision objects as much as possible, to increase time available in case 
position-keeping capabilities are compromised. Future research into 


17 


Reliability Engineering and System Safety 207 (2021) 107347 


decision support models for DP operations need to integrate time 
required, time available as prominent, dynamic factors, and need to be 
risk-based. For example, by integrating the HRT model with a dynamic 
simulator for vessel movement during DP operations. Supporting oper- 
ators in their awareness of risk dynamically over time will help opera- 
tors prevent and recover from loss of position incidents and contribute to 
safer DP operations. 
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